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PRE- APPEAL BRIEF REQUEST FOR REVIEW 



Mail Stop AF 

Commissioner for Patents 
P.O. Box 1450 
Alexandria, VA 22313-1450 

Dear Sir: 

In response to the final Office Action mailed on September 8, 2006, Applicant respectfully 
requests all rejections in view of the following remarks to be withdrawn. Applicant is submitting 
herewith a Notice of Appeal along with the requisite fee. Claims 1-54 are pending. 
I. THE OBVIOUSNESS REJECTION 

Claims 1-4, 11, 12, 15, 16, 20-22, 25-33, 36-43, and 46-54 stand rejected under 35 U.S.C. § 
103(a), as allegedly being unpatentable over "AppShield Provides Block Against Application Hacks," 
Report on Electronic Commerce, BRP Publications ("BRP") in view of U.S. Patent No. 6,584,569 to 
Reshef, et al. ("Reshef '). Office Action at page 2. Of note, the Examiner contends that BRP teaches all 
of the claim limitations except for "designating an application path of an application as restricted." Id. 
Applicant respectfully traverses this rejection or the following grounds. 

A. There Is No Motivation To Combine BRP And Reshef. 



See Reply Dated June 15, 2006, pages 17-18 for a summary of the functionality of AppShield and 
Reshef, respectively. In sum, AppShield is an application layer firewall, whereas Reshef is a 
vulnerability scanner. The functionality of AppShield is premised on the fact that outgoing pages, and in 
turn the incoming requests for those pages, have met a security policy in place. Thus, unexpected 
incoming requests are rejected by AppShield. Dissimilarly, Reshef utilizes a scanning mechanism to 
identify and attack possible vulnerabilities. Combining AppShield with Reshef would result in the 



i. 



The Proposed Modification Would Render AppShield Unsatisfactory 
For Its Intended Purpose Because AppShield And Reshef Are 
Inoperable Together 
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attacking mechanism of Reshef bombarding a web application protected by AppShield. In such a 
situation, AppShield would fail, as the expected incoming requests would in fact be the illegal requests 
generated by Reshef. Ironically, if Reshef and AppShield were combined, only benign incoming requests 
would be rejected by AppShield. 

ii. AppShield's Principle Of Operation Would Change Because 
AppShield's "On-The-Fly" Security Policy Would Be Undermined By 
Combining AppShield And Reshef 

AppShield's dynamic policy is generated " on-the-fly " from outgoing web pages; it does not 
utilize pre-identified information . See BRP lines 23-25. In contrast, Reshef utilizes a scanning 
mechanism to merely identify known , and variations of known, vulnerabilities. See Reshef at column 2, 
lines 24-28. Modifying AppShield to utilize previously identified information of known vulnerabilities 
would thus not only change AppShield's principle of operation, but would also be an unsatisfactory 
modification of AppShield, as AppShield is intended to adapt and respond to security vulnerabilities 
before they can be detected and addressed by traditional means, including the scanner disclosed in 
Reshef. See BRP, lines 17-21. 

iii. Independent Claim 1 

The Examiner's statement that "it would have been obvious... to include the application path of 
the application restricted with BRP publications...." is insufficient to support a finding of obviousness. 
See Office Action at pages 2-3. First, the statement is ambiguous and fails to properly convey the 
Examiner's reasoning to support a conclusion of obvious subject matter. Second, even the inclusion of 
the purported subject matter (i.e., an application path) does not fully address nor even reach the entire 
scope of the claimed invention, as the claimed invention expressly recites the step of "designating an 
application path of an application as restricted." (emphasis added). The Examiner fails to specifically 
address why it would have been obvious to include within AppShield an additional step of designating an 
application path as restricted. 

iv. Independent Claim 27 

The Examiner's contention that "it would have been obvious. . .to combine BRP with Reshef, both 
teaches protecting an application from hackers, the motivation to protect application from hackers is that a 
hacker can alter a parameter in an http request, and freeze the application" does not make logical sense. 
See Office Action at page 8. Furthermore, Reshef does not protect an application from hackers, it merely 
mimics what a hacker might do to discover vulnerabilities. See Reshef column 2, lines 24-28. 
Accordingly, the Examiner fails to properly address why, for claim 27, one of ordinary skill in the art 
would be motivated to combine BRP with Reshef. 
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B. The Proposed Combination Does Not Teach Or Suggest All Of The Claim 
Limitations. 

i. Independent Claim 1 

BRP, either taken alone or in combination with Reshef, fails to teach or suggest "designating an 
application path of an application as restricted," as recited in claim 1. First, detecting and identifying a 
message , as disclosed in Reshef, is distinct from designating an application path . An application path is 
represented as a virtual directory or logical name. See, e.g, specification, page 10, lines 7-10. The 
Examiner appears to have missed this distinction. See Office Action at page 13 (stating "wherein the 
application path is a virtual directory or subdirectory") (emphasis added). An application path is a 
location of an application on a server. See, e.g., specification, page 10, lines 9-10; page 10, line 8; Fig. 
2D. An application path, as claimed, can be represented by a message, but it is not itself a message. See 
Reply Dated June 15, 2006, at page 21 for an example that makes the distinction clear. Wholly absent 
from Reshef and BRP is any disclosure regarding anything as specific as a location of an application on a 
server represented as a virtual directory or logical name. Second, Reshef only discloses mutating data and 
path parameters according to pre-defined vulnerability detection rules. See Reshef column 8, lines 61-67; 
column 9, lines 1-3 and 31-53. Certainly one of ordinary skill in the art does not equate mutating path 
parameters, as disclosed in Reshef, with the claimed step of designating an application path as restricted . 

Also, BRP and Reshef fail to teach, or suggest "matching an operation request to said application 
path" as claimed. Because BRP merely discloses protecting an e-commerce application, it is impossible 
to know if BRP matches incoming requests to application paths, to a destination server, or something else 
all together. Indeed, without such minimal disclosure, one cannot know whether BRP conducts any 
matching at all. It is entirely unreasonable to suggest that BRP teaches anything as specific as matching 
an operation request to an application path, as claimed. Reshef fails to cure the deficiencies of BRP at 
least because, as discussed above, Reshef identifies messages rather than application paths. 

Finally, BRP and Reshef fail to teach or suggest "determining whether said application request is 
illegal or harmful to an environment of said application according to security settings designated from 
said application path." The Examiner acknowledges AppShield does not designate an application path as 
restricted, but asserts AppShield does designate security settings for an application path. See Office 
Action page 2. Thus, the Examiner makes an improper distinction between an application path having 
security settings and being restricted. For an application path to have designated security settings, it must 
be designated as restricted ; an application path without any designated restrictions would have no 
designated security settings whatsoever. It follows that AppShield cannot teach or suggest this step. 
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Reshef does not cure the deficiencies of BRP, as Reshef has absolutely no teaching or suggestion 
regarding designating an application path of an application as restricted. 

ii. Independent Claim 27 

Independent claim 27 recites "matching each operation request to an application path, wherein 
said application path is represented by a virtual directory or a subdirectory of said application; and 
determining whether each operation request is illegal or harmful to an environment of said application," 
which is similar to the recitations discussed above and found in claim 1 . As remarked above, BRP and 
Reshef fail to teach or suggest this step. 

BRP and Reshef also fail to teach or suggest the claimed step of "applying one or more security 
pipes to each operation request, wherein the number and types of pipes applied to each operation request 
are based on said resolved destination node of each operation request." Pipes are explicitly described as 
"security components" which "protect or monitor functionality." See present specification, page 10, lines 
26-27. BRP provides no specifics regarding how AppShield actually blocks application hacks, and 
Reshef is merely concerned with discovering vulnerabilities rather than preventing hackers from using 
such vulnerabilities. Neither reference teaches nor suggests anything as specific as a pipe, applying a 
particular set of pipes to an operation request, or applying a particular set of pipes to an operation request 
based on a resolved destination node of the operation request, all of which are claimed. Again, BRP and 
Reshef simply lack the essential details necessary to render this step obvious. 

iii. Independent Claims 48 And 51 

BRP and Reshef fail to teach or suggest the claimed "means for ascertaining an application path 
of said operation request," and the Examiner does not identify any respective teaching, or suggestion of 
such. See Office Action page 9. As discussed above, the disclosure of BRP is too feeble to reasonably 
teach or suggest anything as specific as ascertaining an application path of said operation request. Reshef 
fails to cure the deficiencies of BRP, as Reshef only suggests identifying messages, which is wholly 
distinct from ascertaining an application path. 

Also, BRP and Reshef fail to teach or suggest the claimed "means for embedding said operation 
request into a data format used by said application." BRP does not touch on the subject of embedding 
operation requests into another data format, particularly one used by an application. The disclosure cited 
by the Examiner, see BRP lines 30-33, and indeed the BRP reference as a whole, fails to reasonably 
suggest to one skilled in the art embedding an operation request into a data format used by an application, 
as claimed. Reshef does not cure the deficiencies of BRP. Reshef only discloses receiving an operation 
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request for an application by the application itself ; the step of embedding said operation request into a 
data format used by said application is thus extraneous and entirely outside the teaching of Reshef. 

Finally, it follows from the discussion in Section I(B)(i) above that BRP and Reshef fail to teach 
or suggest the claimed "means for checking a contents of an operation request according to a predefined 
set of rules associated with an ascertained application path to identify if said operation request is illegal or 
harmful to an environment of an application." 

II. CONCLUSION 

Because there is no motivation to combine BRP and Reshef, and because, even if combined, BRP 
and Reshef fail to teach or suggest all the claim limitations of the pending claims, Applicant submits that 
claims 1-4, 11, 12, 15, 16, 20-22, 25-33, 36-43, and 46-54 are not rendered obvious. Applicant 
respectfully requests the obviousness rejection of said claims to be withdrawn. 

In view of the foregoing, it is respectfully submitted that the present application is in condition 
for allowance, and an early indication of the same is courteously solicited. The Examiner is respectfully 
requested to contact the undersigned by telephone at the below listed telephone number, in order to 
expedite resolution of any issues and to expedite passage of the present application to issue, if any 
comments, questions, or suggestions arise in connection with the present application. 



Paul, Hastings, Janofsky & Walker LLP for: Trevor Q. Coddington, Ph.D., Esq. 



Respectfully submitted, 





Haw-Minn Lu, Patent Agent 
Registration No. 55,407 



Customer Number: 36183 
P.O. Box 919092 



Registration No. 46,633 



San Diego, CA 92191-9092 
Telephone: (858) 720-2500 
Facsimile: (858) 720-2555 
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